Jing Hui, Ivan, Syuqri and Claudia...•Exercise 1 –Wireshark 1. Observe network traffic 2. Find...


Prepared by:

Jing Hui, Ivan, Syuqri and Claudia


Acknowledgement

IMPORTANT: iTrust acknowledges that any and all software and/or tools presented in this workshop are the sole property of their respective trademark / registered / copyright owners.


Warning !

Please do not use the tools provided for unethical purposes.


Time Agenda

9.00 – 9.30am Introduction to iTrust and the Internet of Things (IoT)

9.30 – 10.30am Introduction to Networking

10.30 – 10.45am Break

10.45 – 12.30am Ethical Hacking and Cyber Security

12.30 – 1.30pm Lunch

1.30 – 3.30pm Compromising IoT Devices 1

3.30 – 3.45pm Break

3.45 – 4.45pm Compromising IoT Devices 2

4.45 – 4.55pm Closing

4.55 – 5.25pm Tour of iTrust labs

5.25 – 5.30pm Workshop evaluation


Who are we?


Funding Focus Areas

CPS Enterprise Security IoT

Collaborators

Distinctive Values


Section 1: Before We Start…


Cyber Security Considerations


Infrastructure (e.g. banking, energy, water, transport)

Company (e.g. wireless vulnerability, secured networks)

Personal (e.g. data privacy, cybercrime)


Introduction to IoT

• What is IoT ?

The internet of things (IoT) is the network of physical devices, vehicles, buildings and other items—embedded with electronics, software, sensors, actuators, and network connectivity that enable these objects to collect and exchange data.


Compromised IoT devices


IoT - Problems

• Additional attack vectors for hackers to compromise.

• As this is something relatively new, there are no proper methods or standards for securing such devices.

• When talking about IoT security, should we be concerned about the privacy issues as well?


Section 2: Networks


http://25ffhnaechrbzwf3.onion/


Network – LAN / WAN


Network – IP / MAC Address


How the internet works


OSI 7 Layers


Types of Protocol


What is Wireless?

• Wireless networking is a method by which homes, telecommunications networks and enterprise (business) installations avoid the costly process of introducing cables into a building, or as a connection between various equipment locations.


Types of wireless transmission

There are 3 different ranges for wireless transmission:

Short-range

• Infrared

• Bluetooth

Medium-range

• 802.11a/b/g/n/AC

Long-range

• Worldwide Interoperability for Microwave Access or WiMAX

• Global System for Mobile Communications or GSM


Wireshark

• Wireshark is a network packet/protocol analyzer.

• A network packet analyzer captures network packets and tries to display the packet data in as much detail as possible.


Exercise 1 – Wireshark

1. Observe network traffic

2. Find the 3-way handshake

3. Dissect the Skype pcap file to see what information one can find


Summary

• What is a LAN/WAN ?

• Components of a network

• How does the internet function ?

• Wireless communication and monitoring

• Wireshark


Section 3: Introduction To Ethical Hacking


Hacking Phases


Cyber Kill Chain


Objectives of Reconnaissance


Types of Scanning


Scanning – nmap (Hands-on)

• Nmap (nmap.org)

• AdminR privilege – ICMP ping sweep, ARP ping, ICMP TIMESTAMP message & TCP ping @ port 80 & 443

• Non-AdminR privilege – TCP ping only

• -sn : skip port scanning

• -PE : skip ARP resolution

• --send-ip <IP Addr> : only for same segment else ignore

• e.g. : nmap -sn -PE --send-ip x.x.x.x

Caution: IDS monitoring (e.g. Snort – snort.org)


Scanning – nmap (Hands-on)

• Nmap (nmap.org)

• Hybrid-type of attack (ARP, ICMP & TCP)

• e.g. nmap -Pn -sS -p 22 --open x.x.x.x/24

• -Pn : ignore host discovery, scan default 1,000 common ports

• -sS -p 22 --open : only output hosts that have port 22 open

• x.x.x.x/24 : network segment identity

Caution: Scanning large numbers of ports is dangerous


Scanning – nmap (Hands-on)

• Nmap (nmap.org)

• -oG : tab-delimited output file

• -oX : XML output file

• -oA : all formats output file

• -f : fragment the packets (to avoid simple packet-filtering device/IDS)

• -D : decoy (decoy addr must be alive, otherwise SYN-flood & DOS conditions)

• e.g.

• nmap -sF x.x.x.x/24 -oN outputfile

• nmap -sS x.x.x.x -D y.y.y.y

Caution: Sophisticated/modern packet-filtering devices & application-based firewall will queue all IP fragments


Denial of Service (DOS) Attack


Symptoms of DOS Attack


Unavailability of website

Inability to access any website

Unusually slow network performance

Dramatic increase in email spam


Type of DOS / DDOS


Volume Based Attacks

Includes UDP floods, ICMP floods, and other spoofed-packet floods. The attack’s goal is to saturate the bandwidth of the attacked site, and magnitude is measured in bits per second (bps).

Protocol Attacks

Includes SYN floods, fragmented packet attacks, Ping of Death, Smurf DDoS and more. This type of attack consumes actual server resources, or those of intermediate communication equipment, such as firewalls and load balancers, and is measured in packets per second.

Application Layer Attacks

Includes Slowloris, Zero-day DDoS attacks, DDoS attacks that target Apache, Windows or OpenBSD vulnerabilities and more. Comprised of seemingly legitimate and innocent requests, the goal of these attacks is to crash the web server, and the magnitude is measured in requests per second.


DDOS Attack (Case Study)


DDOS Attack Tools

• LOIC - Low Orbit Ion Cannon (sourceforge.net/projects/loic/)

• XOIC (sourceforge.net/projects/xoic/)

• HULK - HTTP Unbearable Load King (packetstormsecurity.com/files/112856/HULK-Http-Unbearable-Load-King.html)

• DDOSIM - Layer 7 DDOS Simulator (sourceforge.net/projects/ddosim/)

• R-U-Dead-Yet (code.google.com/p/r-u-dead-yet/)

• TOR’s Hammer (packetstormsecurity.com/files/98831/)


DDOS Hands-On

LOIC - Low Orbit Ion Cannon


Understanding Malware

Virus. A computer virus attaches itself to a program or file enabling it to spread from one computer to another, leaving infections as it travels.

Worm. A sub-class of a virus. It has the capability to travel without any human action. A worm takes advantage of file or information transport features on your system, which is what allows it to travel unaided.

Trojans. Malicious code that can cause serious damage by deleting files and destroying information on your system. It can create a backdoor on your computer that gives malicious users access to your system, possibly allowing confidential or personal information to be compromised. Does not reproduce or self-replicate.

A blended threat is a more sophisticated attack that bundles some of the worst aspects of viruses, worms, Trojan horses and malicious code into one single threat. (APT)


Advanced Persistent Threat (APT)

• An advanced persistent threat (APT) is a network attack in which an unauthorized person gains access to a network and stays there undetected for a long period of time. The intention of an APT attack is to steal data rather than to cause damage to the network or organization. APT attacks target organizations in sectors with high-value information, such as national defense, manufacturing and the financial industry.


Data Exfiltration Using Advanced Techniques

https://www.youtube.com/watch?v=RChj7Mg3rC4


Summary

• Cyber kill chain

• Nmap

• What is a botnet, DDoS ?

• Malware classification

• APTs and how do they steal data from an organization


Section 4: Introduction To Cyber Security


Encryption


• What is encryption ?


Caesar’s Cipher

• Each letter is replaced by a letter some fixed number of positions down the alphabet.


Encryption

• Take for example the encryption algorithm known as AES, which allows for keys up to 256 bits.

• The formula for counting key spaces is as follows:

Number of keys = 2^x

where x is the number of bits.

• Let us take as an example an RSA algorithm with 2048 bits.

• The decimal representation will be 3.231700607131100730071487668867e616


Symmetric Encryption

• All algorithms of the symmetric variety use a SINGLE key to encrypt and decrypt information.

• In traditional cryptographic systems, the same key is used by the sender and receiver to both encrypt and decrypt the message.

• Some of the more common algorithms used are, 3DES, AES and Blowfish.


Asymmetric Encryption


RSA Algorithm


In RSA, this asymmetry is based on the practical difficulty of factoring the product of two large prime numbers


Key Signing Exercise

• https://www.cs.drexel.edu/~introcs/Fa11/notes/10.1_Cryptography/RSAWorksheetv4d.html - asymmetric

• https://encipher.it/ - symmetric


Hashing

• Difference between encryption and hashing ?


Password Cracker

Hands-on

Hash Generator


Salting


• In cryptography, a salt is random data that is used as an additional input to a one-way function that hashes a password or passphrase. The primary function of salts is to defend against dictionary attacks versus a list of password hashes and against pre-computed rainbow table attacks.
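The effect of a salt on a precomputed lookup table, as an added example that is not part of the original slides. The account names, the word list (taken from the worst-password list later in this deck) and the PBKDF2 iteration count are assumptions made for the illustration.

```python
import hashlib
import hmac
import os

ITERATIONS = 200_000  # assumed PBKDF2 work factor for this example


def unsalted_hash(password):
    """Plain SHA-256: the same password always gives the same hash."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def build_lookup_table(candidates):
    """Precompute hash -> password once; reusable against every unsalted hash."""
    return {unsalted_hash(word): word for word in candidates}


def hash_password(password, salt=None):
    """Return (salt, digest); a fresh 16-byte random salt is drawn per password."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, ITERATIONS
    )
    return salt, digest


def verify_password(password, salt, expected_digest):
    """Recompute with the stored salt and compare in constant time."""
    _, digest = hash_password(password, salt)
    return hmac.compare_digest(digest, expected_digest)


def demo():
    wordlist = ["password", "123456", "111111", "iloveyou"]
    table = build_lookup_table(wordlist)

    # Two constructed accounts that happen to share one weak password.
    unsalted_db = {
        "alice": unsalted_hash("iloveyou"),
        "bob": unsalted_hash("iloveyou"),
    }
    salted_db = {
        "alice": hash_password("iloveyou"),
        "bob": hash_password("iloveyou"),
    }

    return {
        # Without a salt the two records are identical and the table hits.
        "unsalted_identical": unsalted_db["alice"] == unsalted_db["bob"],
        "unsalted_recovered": table.get(unsalted_db["alice"]),
        # With a salt the records differ and the precomputed table is useless.
        "salted_identical": salted_db["alice"][1] == salted_db["bob"][1],
        "salted_in_table": salted_db["alice"][1].hex() in table,
        # The legitimate login path still works because the salt is stored.
        "login_ok": verify_password("iloveyou", *salted_db["alice"]),
        "login_wrong": verify_password("password", *salted_db["alice"]),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

A salt removes the benefit of precomputation and of cracking many accounts at once; a weak password can still be guessed per account, which is why the slow key-derivation function and the password guidelines matter as well.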


In Conclusion

IS ENCRYPTION ENOUGH ?!

Reuters reported in December that the NSA had paid RSA $10 million to make a now-discredited cryptography system the default in software used by a wide range of Internet and computer security programs. The system, called Dual Elliptic Curve, was a random number generator, but it had a deliberate flaw - or "back door" - that allowed the NSA to crack the encryption.


Summary

• Encryption, symmetric and asymmetric

• Hashing

• Difference between encryption and hashing

• Brute force attacks, dictionary attacks and pass the hash


Section 5: The Internet of Not Really Secure Things


Top 10 vulnerabilities for IoT


Communications in IoT


WiFi Recap

• 802.11 Standard

• Suitable for long range communication

• Now, let’s discuss its security…


Security concerns for Wifi

• WEP

• WPA

• WPA2


Bluetooth

• Short-wavelength UHF radio waves in the ISM band from 2.4 to 2.485 GHz

• Communicate with a maximum of seven devices in a piconet (an ad-hoc computer network using Bluetooth technology)

• Key pairing mechanisms


Security concerns for Bluetooth

• Prior to Bluetooth v2.1, encryption is not required and can be turned off at any time

• Key pairing mechanism can be sniffed and decrypted easily


IP Camera Exercise


Objectives

• Get access into the network

• Identify the IP camera that has been assigned (via MAC address)

• Identify traffic that is essential for getting access to IP camera’s stream


What is a MAC address?

• Media access control address, also called a physical address

• Unique identifier assigned to network interfaces for communications on the physical network segment

• OUI – Organizationally Unique Identifier

• Purchased by a vendor/manufacturer and assigned by Institute of Electrical and Electronics Engineers (IEEE)

Example: 00:1B:2F:BB:4C:98 (the first three octets, 00:1B:2F, are the OUI)
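How a defender can use the MAC structure above for asset inventory, as an added example that is not part of the original slides: it normalises a MAC address, splits off the OUI, and reads the two flag bits in the first octet. The inventory labels and every sample address other than 00:1B:2F:BB:4C:98 are constructed.

```python
import re

# OUI -> label, as a site might keep in its own asset inventory.
# The labels are constructed placeholders, not vendor registrations.
INVENTORY = {
    "00:1b:2f": "lab access point (example label)",
    "b0:c5:54": "IP camera batch (example label)",
}


def normalise_mac(text):
    """Accept colon, dash or dot separated MACs; return aa:bb:cc:dd:ee:ff."""
    stripped = re.sub(r"[:.\-]", "", text.strip())
    if not re.fullmatch(r"[0-9A-Fa-f]{12}", stripped):
        raise ValueError(f"not a 48-bit MAC address: {text!r}")
    stripped = stripped.lower()
    return ":".join(stripped[i:i + 2] for i in range(0, 12, 2))


def describe_mac(text):
    """Split a MAC into OUI and device part and decode the first-octet flags."""
    mac = normalise_mac(text)
    first_octet = int(mac[:2], 16)
    return {
        "mac": mac,
        "oui": mac[:8],            # first three octets
        "device_part": mac[9:],    # last three octets
        # Lowest bit of the first octet: group (multicast) address.
        "multicast": bool(first_octet & 0x01),
        # Second-lowest bit: locally administered, so not an IEEE-assigned OUI.
        "locally_administered": bool(first_octet & 0x02),
    }


def identify(text, inventory=INVENTORY):
    """Map an observed MAC to an inventory label, or say why that is not possible."""
    info = describe_mac(text)
    if info["locally_administered"]:
        return "locally administered address: OUI lookup not meaningful"
    return inventory.get(info["oui"], "unknown OUI")


if __name__ == "__main__":
    for observed in (
        "00:1B:2F:BB:4C:98",   # address from the slide
        "B0-C5-54-12-34-56",   # constructed
        "daa1.1900.0001",      # constructed, locally administered bit set
        "00:11:22:33:44:55",   # constructed, not in the inventory
    ):
        print(observed, "->", identify(observed))
```

A MAC address can be changed by the device owner, so an OUI match is a hint for inventory work and not proof of what a device is.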


Cracking Wi-Fi password


Step 0

• Type ifconfig to find the wireless interface name, i.e. wlan*

• Navigate to the appropriate directory in the terminal

• cd Desktop/Scy\ Phy/Wi\ Fi/

• This will navigate into the Scy Phy > Wi Fi folder


Step 1 – Starting monitor mode

• You are required to sniff the wireless traffic to determine which network you want to gain access to.

• For wireless networks, we will be using a suite of tools called Aircrack-ng.

• To go into monitor mode, use the command ‘sudo airmon-ng start XXX’ where XXX is the interface which you would like to use.


Step 2 – Identify MAC address of AP

• Use the airodump-ng command in the terminal

• Command: sudo airodump-ng <interface name>

• This will show you a list of available access points and their respective MAC address

• Do take note of the MAC address of the target access point (AndroidAP)


Step 3 – Capturing packets using airodump

• Firstly, navigate to a folder of choice to store the captured packets

• Example: cd Desktop

• Use the airodump-ng command in the terminal as follows

• sudo airodump-ng -c <channel> --bssid <MAC address of AP> -w <name of output file> <interface name>

• This will start a capture of packets on the access point


Step 4 – Deauthentication using aireplay

• This will prompt a reconnection of a target device to the network

• Why do we want to do this?

• Use the command as follows

• sudo aireplay-ng -0 1 -c <MAC of target device> -a <MAC of AP> -e <Access point name> <interface name> --ignore-negative-one

• This will deauthenticate the target device and make it reconnect to the access point.


Step 5 – Deauthentication using aireplay

• This will prompt a reconnection of a target device to the network

• Why do we want to do this?

• Use the command as follows

• sudo aireplay-ng -0 1 -c <MAC of target device> -a <MAC of AP> -e <Access point name> <interface name> --ignore-negative-one

• This will deauthenticate the target device and make it reconnect to the access point.

• Do the deauthentication attack multiple times to ensure that a four-way handshake is captured


Step 6 – Cracking password using aircrack

• This will be done using a dictionary attack

• Do you remember what a dictionary attack is?

• Use the command as follows

• sudo aircrack-ng -w <password list file> -b <MAC of access point> <name of .cap file you have saved>

• If the cracking is successful, a password can be seen in the terminal window

• Congratulations on cracking the password!


Hacking IP Camera


Step 1 – Nmap scan on network

• Use Nmap to do a quick scan on the network

• nmap -T4 -F 192.168.0.0/24

• Identify target MAC address

• B0:C5:54:xx:xx:xx

• Take note of the ports and services as well

Sample Nmap quick scan output


What is RTSP?

• Real Time Streaming Protocol (RTSP)

• Network control protocol designed for use in entertainment and communications systems to control streaming media servers

• The protocol is used for establishing and controlling media sessions between end points.


Step 2 – Sniffing traffic using Wireshark

• Use Wireshark to sniff traffic

• Filter traffic based on IP address

• ip.addr == 192.168.0.xxx

• Get useful information from traffic

• Hint: Remember Nmap ports and services?

Sample Wireshark capture


Step 3 – Understanding the HTTP stream

• In the stream, you should notice that there is something called “Authorization: Basic ……”

• HTTP Basic authentication (BA) implementation is the simplest technique for enforcing access controls to web resources because it doesn't require cookies, session identifiers, or login pages; rather, HTTP Basic authentication uses standard fields in the HTTP header, obviating the need for handshakes.

• The string of data is usually Base64 encoded.
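Why a Base64-encoded Basic header sent over plain HTTP counts as a cleartext credential, as an added example that is not part of the original slides: the sketch audits one captured request and reports whether credentials were exposed. The request text, host address and credentials are constructed, and `audit_request` with its `over_tls` parameter is a hypothetical helper.

```python
import base64
import binascii

# Constructed HTTP request, shaped like the text of a followed HTTP stream.
# The host and the credentials (admin / camera123) are made up.
SAMPLE_REQUEST = (
    "GET /index.htm HTTP/1.1\r\n"
    "Host: 192.168.0.20\r\n"
    "Authorization: Basic YWRtaW46Y2FtZXJhMTIz\r\n"
    "User-Agent: example\r\n"
    "\r\n"
)


def encode_basic(user, password):
    """What the client does: Base64 is an encoding, no key is involved."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8"))
    return "Basic " + token.decode("ascii")


def decode_basic(header_value):
    """What anyone on the path can do; returns (user, password) or None."""
    scheme, _, token = header_value.partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    # Only the first colon separates user from password.
    user, sep, password = decoded.partition(":")
    return (user, password) if sep else None


def parse_headers(raw_request):
    """Return the request headers as a dict with lower-case names."""
    head = raw_request.split("\r\n\r\n", 1)[0]
    headers = {}
    for line in head.split("\r\n")[1:]:  # skip the request line
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers


def audit_request(raw_request, over_tls):
    """Report Basic credentials in a request; None if there are none."""
    headers = parse_headers(raw_request)
    creds = decode_basic(headers.get("authorization", ""))
    if creds is None:
        return None
    user, password = creds
    return {
        "host": headers.get("host"),
        "user": user,
        "password_length": len(password),  # do not copy secrets into reports
        "exposed": not over_tls,
    }


if __name__ == "__main__":
    print(audit_request(SAMPLE_REQUEST, over_tls=False))
```

The mitigation the finding points to is serving the login only over TLS, or replacing Basic authentication altogether; the encoding itself adds no confidentiality.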


Step 3 – Accessing camera’s settings

• Input IP address into web browser

• Example - 192.168.0.xxx

• This should prompt a login popup

• Verify success of prior procedures by keying in log in details


Step 4 – Figuring out what else we can do

• Remember the results of the Nmap scan?

• What other protocols or services are there?


Discussion

• Defence techniques ?

• How can one mitigate the attacks we just performed ?


Password Guidelines

• The longer the password, the harder it is to crack

• Always use a combination of characters, numbers and special characters

• Variety in passwords

• What to avoid while selecting your password:

• dictionary word

• easy to guess names and numbers

• sequence or repeated characters

• worst password list (password, 123456, 111111, iloveyou, etc)

• Question: Longer or complex better?
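The guidelines above turned into a checker, as an added example that is not part of the original slides; it also puts numbers on the "longer or complex" question by estimating brute-force search space. The 12-character minimum, the small dictionary and the sample passwords are assumptions made for the illustration.

```python
import math

WORST = {"password", "123456", "111111", "iloveyou"}      # list from the slide
DICTIONARY = {"dragon", "monkey", "sunshine", "welcome"}  # constructed sample words


def pool_size(password):
    """Size of the character set the password draws from."""
    pool = 0
    if any(c.islower() for c in password):
        pool += 26
    if any(c.isupper() for c in password):
        pool += 26
    if any(c.isdigit() for c in password):
        pool += 10
    if any(not c.isalnum() for c in password):
        pool += 32  # printable ASCII punctuation
    return pool


def brute_force_bits(password):
    """Upper bound in bits, valid only if every character was chosen at random."""
    pool = pool_size(password)
    return len(password) * math.log2(pool) if pool else 0.0


def has_run(password, run=4):
    """True for `run` characters that ascend, descend or repeat (abcd, 4321, aaaa)."""
    lowered = password.lower()
    for i in range(len(lowered) - run + 1):
        window = lowered[i:i + run]
        steps = {ord(b) - ord(a) for a, b in zip(window, window[1:])}
        if steps in ({0}, {1}, {-1}):
            return True
    return False


def check_password(password, min_length=12):
    """Return the list of guideline violations; an empty list means none found."""
    problems = []
    lowered = password.lower()
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if lowered in WORST:
        problems.append("on the worst-password list")
    # Strip digits and symbols so that 'Dragon2024!' is still seen as 'dragon'.
    letters_only = "".join(c for c in lowered if c.isalpha())
    if letters_only in DICTIONARY:
        problems.append("dictionary word with added characters")
    if has_run(password):
        problems.append("sequence or repeated characters")
    if not any(c.isalpha() for c in password):
        problems.append("no letter")
    if not any(c.isdigit() for c in password):
        problems.append("no digit")
    if not any(not c.isalnum() for c in password):
        problems.append("no special character")
    return problems


if __name__ == "__main__":
    # Constructed samples: two weak ones, one long-but-simple, one short-but-complex.
    for sample in ("iloveyou", "Dragon2024!", "kqzmvhtxwbnrycfd", "K7#qZ2!m"):
        print(f"{sample!r}: {brute_force_bits(sample):.1f} bits, "
              f"problems={check_password(sample)}")
```

For randomly chosen characters, the 16-character lower-case sample has a larger search space than the 8-character sample using all four character classes, so length contributes more than class variety; the bit estimate does not apply to passwords built from words or patterns, which is what the other checks are for.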


Fitbit

• Used to use unencrypted communication channel

• Synchronizes automatically with the mobile device over BLE

• So what does all this translate to for an attacker ?


Fitbit exercise

• Convert the fitbit.psd to fitbit.pcap using tibtle2pcap.py

• Downloadable from https://github.com/joswr1ght/tibtle2pcap

• python tibtle2pcap.py fitbit.psd output.pcap

• wireshark output.pcap


Crackle – Tool for cracking BLE pairing keys

• Cracks BLE key exchange

• Exploits a flaw in the pairing mechanism

• Brute force the TK and derive all further keys

• Can even obtain the LTK

• Decrypt the entire communication


Discussion

• Privacy issues ?

• How can an activity tracker be better designed ?


Conclusion

• Thoughts on IoT

• Security and privacy concerns brought by IoT

• Next-gen malware